A denial-of-service flaw in the Linux kernel's KSMBD (SMB Direct) subsystem has raised alarms throughout the open-source community.
Tracked as CVE-2025-38501, the issue allows a remote, unauthenticated attacker to exhaust all available SMB connections by abusing the kernel's handling of half-open TCP sessions.
Key Takeaways
1. CVE-2025-38501 lets attackers exhaust KSMBD connections through half-open TCP handshakes.
2. The PoC "KSMBDrain" floods servers with SYN packets to trigger the flaw.
3. Patched in Linux 6.1.15+; upgrade or rate-limit port 445.
A public proof-of-concept exploit, dubbed KSMBDrain, demonstrates how attackers can overwhelm a KSMBD server simply by initiating thousands of TCP three-way handshakes and then failing to complete the session, causing the server to hold the sockets indefinitely.
KSMBD DoS Attack
The flaw originates in KSMBD's default behavior of retaining incomplete connections without an upper limit on pending SYN-ACK sockets. When a client sends a SYN, the kernel replies with a SYN-ACK and waits for the final ACK.
If that ACK never arrives, KSMBD keeps the connection slot open. By repeatedly sending SYN packets from a single IP address, an attacker can saturate the server's max_connections limit configured in /etc/ksmbd/ksmbd.conf, resulting in a complete denial of subsequent legitimate SMB traffic.
Although administrators can set handshake_timeout as low as one minute, this only slows the attack rather than stopping it, since an attacker can continuously open new half-open sessions.
The publicly available PoC, written in Python, uses raw sockets to mass-spawn handshake attempts. A snippet from poc.py shows the simplicity of the exploit:
[Image: KSMBD DoS Attack, screenshot of the poc.py snippet]
Running this script against a vulnerable server quickly depletes the connection pool, rendering SMB shares inaccessible and effectively halting file transfers and authentication services.
Risk Factors and Details
Affected Products: Linux Kernel KSMBD subsystem (versions 5.3 and later)
Impact: Denial of Service
Exploit Prerequisites: Network connectivity to the target KSMBD server on TCP port 445; no authentication required
CVSS 3.1 Score: Not yet assigned
Mitigations
The vulnerability was introduced in Linux kernel 5.3 when the KSMBD module was merged into the mainline. Upstream maintainers addressed the issue in commit e6bb9193974059ddbb0ce7763fa3882bd60d4dc3, which adds a configurable backlog limit and enforces a shorter tcp_synack_retries threshold for half-open sockets.
Distributions have begun rolling out updated kernel packages; users should apply the fix by upgrading to Linux 6.1.15 or later.
In environments where an immediate kernel upgrade is impractical, network-level rate limiting on TCP port 445 and stricter firewall rules can help mitigate exploitation.
Additionally, security teams are advised to monitor for an abnormal number of SYN packets and to adjust KSMBD's user-space settings to lower handshake_timeout and limit backlog counts.
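One way to put the monitoring advice into practice on the server itself, as an added example that is not part of the original article or of the KSMBD project: count half-open (SYN-RECV) sockets on port 445 per peer address from `ss -tan` output and flag any peer that holds more than a threshold of them. The sample output and the 198.51.100.7 source address are constructed for the example; the threshold value is an assumption to tune per site.

```python
"""Flag peers holding many half-open SMB connections in `ss -tan` output."""
from collections import Counter

SMB_PORT = 445

# Constructed sample of `ss -tan` output (not a real capture). The peer
# 198.51.100.7 is a placeholder that holds several SYN-RECV sockets.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      10.0.0.5:445         10.0.0.21:50122
SYN-RECV  0      0      10.0.0.5:445         198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:445         198.51.100.7:40002
SYN-RECV  0      0      10.0.0.5:445         198.51.100.7:40003
SYN-RECV  0      0      10.0.0.5:445         198.51.100.7:40004
SYN-RECV  0      0      10.0.0.5:445         10.0.0.33:51000
SYN-RECV  0      0      10.0.0.5:22          198.51.100.7:40005
LISTEN    0      128    0.0.0.0:445          0.0.0.0:*
"""


def parse_ss(output):
    """Yield (state, local_port, peer_ip) for each socket line of `ss -tan`."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":  # skip header / junk
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        # rsplit on the last ':' so bracketed IPv6 addresses also parse
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_by_peer(output, port=SMB_PORT):
    """Count SYN-RECV (half-open) sockets on `port`, keyed by peer IP."""
    counts = Counter()
    for state, local_port, peer_ip in parse_ss(output):
        if state == "SYN-RECV" and local_port == port:
            counts[peer_ip] += 1
    return counts


def flood_suspects(output, port=SMB_PORT, threshold=3):
    """Return peers whose half-open count on `port` reaches `threshold`."""
    return {ip: n for ip, n in half_open_by_peer(output, port).items()
            if n >= threshold}


if __name__ == "__main__":
    for ip, n in flood_suspects(SAMPLE_SS_OUTPUT).items():
        print(f"ALERT {ip}: {n} half-open SMB connections")
```

On a live host, feed the function the stdout of `ss -tan` (for example via subprocess) from a periodic job and compare the total against the max_connections value in ksmbd.conf.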
As SMB services remain a critical component for file sharing and authentication in enterprise networks, prompt patching is essential.
The KSMBDrain exploit underscores the importance of defending against resource-exhaustion attacks that leverage protocol-level quirks rather than code injection or privilege escalation.
Continuous monitoring and keeping kernel versions up to date will mitigate the risk posed by CVE-2025-38501.